A recent article on the cybersecurity risks posed by mergers and acquisitions begins:
When companies merge, it creates significant cybersecurity challenges in two main ways: firstly, challenges arise in integrating disparate security infrastructures, and secondly, an M&A transaction brings together diverse organizational cultures which presents its own challenges from a cyber perspective. Yet the limited involvement of IT and cybersecurity within M&A teams can lead to cybersecurity considerations taking a back seat early in the process, potentially resulting in unforeseen vulnerabilities and risks.
Guardian Healthcare in Pennsylvania was going through restructuring when it became the victim of a ransomware attack by an affiliate using Stormous ransomware. When Guardian did not pay the threat actors’ demands by mid-October, Stormous leaked 3 GB of files, many of which contain protected health information (PHI) of patients. The leak does not appear to include the electronic medical record (EMR) system or entire databases, but it does include many individual files with sensitive information, files that appear to trigger notification requirements under HIPAA.
Finding nothing on Guardian Healthcare’s website to indicate that it was aware of any breach or was responding to one, DataBreaches emailed the company on Wednesday to ask whether it was aware of the apparent breach and, if so, what it was doing in response. In case Guardian was not aware it had been breached, the email included a link to the data tranche and some text from some of the files.
Guardian Healthcare did not reply, but DataBreaches asked Stormous some questions about the incident. One question this site posed was whether Guardian had been targeted because it was undergoing restructuring and might be more vulnerable to attack. The spokesperson for Stormous was unable to answer that, saying, “Perhaps it’s not about that, or it depends on the concept or approach of the person affiliated with our RaaS.” In other words, they did not know why the affiliate targeted Guardian. The spokesperson did say, however, that the affiliate first gained access to several accounts through Office, impersonating accounts to target a list of key employees there or in groups that Guardian had created.
“Some accesses were successful while others failed, and 7GB of data was extracted, with 3GB being somewhat important and subsequently leaked,” the spokesperson told DataBreaches. They added that Guardian did know about the breach and there was some contact with them, “but they did not respond significantly to the incident, so the final solution was to leak the data.”
Stormous also confirmed that Guardian’s files were encrypted during the attack.
Does Guardian have usable backups, or has some patient data been corrupted or lost because of the attack? We do not know, because Guardian has not issued any statement or preliminary notice about the incident. And of course, the affected patients likely have no idea that their data has been publicly leaked.
DataBreaches will update this post if more information becomes available.